26 June 2015

Calling an imported function (IAT)

Import Address Table.


Section: .idata (import data) holds the IAT.
When Windows loads the application into memory, the loader resolves every entry in the IAT,
so afterwards each IAT slot holds the address of the imported function.



Assembly code:
Call to a Windows API (GetVersion)
Referring to the instruction at 0x004012c8:

  • FF 15 :    indirect call (call dword ptr [addr])
  • 38 60 40 00 :  little-endian operand >> 0x00406038, the IAT slot, which contains 0x775944c7 (address of GetVersion)
  • EIP jumps to GetVersion().
  • Since it is a CALL, the 6-byte instruction pushes the return address, so execution returns to 0x004012CE afterwards

ref: http://win32assembly.programminghorizon.com/pe-tut6.html
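The same mechanism in code, as an added example that is not part of the original notes: scan a constructed x86 (32-bit) byte string for FF 15 disp32 indirect calls, pull out the IAT slot each one reads, look the slot up in a constructed IAT and compute the return address. The GetVersion slot and its value are the ones quoted above; the second call, its slot value and both symbol names are assumptions for illustration.

```python
import struct

# Constructed x86 (32-bit) code: the 6-byte indirect call from the notes at
# 0x004012C8, some filler, and a second, assumed call so the scanner has two hits.
CODE_BASE = 0x004012C8
CODE = bytes.fromhex(
    "FF15 38604000"   # call dword ptr [0x00406038]   -> GetVersion (from the notes)
    "8BF0"            # mov esi, eax                  (filler)
    "FF15 3C604000"   # call dword ptr [0x0040603C]   -> assumed second import
    "C3"              # ret
)

# Constructed IAT contents after the loader has filled the slots. The slot
# 0x00406038 -> 0x775944C7 is the value quoted in the notes; the second slot,
# its value and both symbol names are assumptions for illustration.
IAT = {
    0x00406038: (0x775944C7, "kernel32!GetVersion"),
    0x0040603C: (0x775A1234, "kernel32!ExitProcess"),
}


def find_indirect_calls(code, base):
    """Return (call_addr, iat_slot, return_addr) for every FF 15 disp32 in code.

    FF /2 is CALL r/m32; the ModRM byte 0x15 (mod=00, reg=010, rm=101) selects a
    flat 32-bit absolute address on 32-bit x86, so the four bytes after the
    opcode are the IAT slot, little-endian. Scanning linearly is a heuristic:
    without a disassembler an FF 15 pattern inside another instruction's
    operand would also match.
    """
    calls = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            calls.append((base + i, slot, base + i + 6))   # CALL pushes base+i+6
            i += 6
        else:
            i += 1
    return calls


def resolve_call(call, iat):
    """Follow one indirect call the way the CPU does: read the slot, jump to its value."""
    call_addr, slot, ret_addr = call
    target, name = iat.get(slot, (None, "<unresolved>"))
    return {"call": call_addr, "slot": slot, "target": target, "name": name, "return": ret_addr}


if __name__ == "__main__":
    for call in find_indirect_calls(CODE, CODE_BASE):
        r = resolve_call(call, IAT)
        tgt = f"{r['target']:#010x}" if r["target"] is not None else "unresolved"
        print(f"{r['call']:#010x}: call [{r['slot']:#010x}] -> {tgt} {r['name']} ; returns to {r['return']:#010x}")
```

An unresolved slot (one the constructed IAT does not know) comes back with target None rather than raising, which is what you want when sweeping a dumped section where some imports are still unresolved.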



18 June 2015

Cryptography

Key Type

  • Symmetric
    • same key to encrypt/decrypt
    • fast
    • Algorithms:
      • DES
      • 3DES
      • Blowfish
      • RC4, RC5, RC6
      • AES
  • Asymmetric
    • slow
    • public key
      • to encrypt
      • share to others/world
    • private key
      • to decrypt
      • kept by owner
    • Algorithms:
      • RSA
      • ECC
      • Diffie-Hellman
      • El Gamal
      • DSA


Methods Of Encryption
  • Block Cipher
    • symmetric encryption
    • operates on fixed-length blocks (e.g. 64-bit DES, 128-bit AES)
      • padding is added when the last block is shorter than the block size

  • Stream Cipher
    • symmetric encryption
    • encrypts 1 bit/byte at a time by XORing with a keystream
    • a key/IV (keystream) must never be reused, so each message needs a different IV
  • Attributes
    • Confusion
      • the relationship between key and ciphertext is complex, so the key cannot be determined from the ciphertext (encrypted data)
    • Diffusion
      • a 1-bit change in the plaintext should change about 50% of the ciphertext bits (avalanche effect)



Block Mode


  • A mode of operation is needed when the data is larger than one block
  • Modes
    • ECB - Electronic Codebook
      • Weak
        • each block is encrypted independently, so identical plaintext blocks give identical ciphertext blocks (patterns leak)
          • refer https://www.youtube.com/watch?v=uPiqyQOMH1E , at 1:05
          • https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#/media/File:ECB_encryption.svg
    • CBC - Cipher Block Chaining
      • has an additional parameter
        • the IV is used for the first block
        • the previous ciphertext block is used for each following block
      • XOR the plaintext block with that extra value, then encrypt with the key
      • ref: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#/media/File:CBC_decryption.svg
    • CFB - Cipher Feedback
    • OFB - Output Feedback
    • CTR - Counter
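The block cipher, padding, diffusion and ECB-vs-CBC points above, worked in code as an added example (not from the original notes). The block cipher itself is an assumption: a 4-round Feistel network with HMAC-SHA256 as the round function, chosen only because it is invertible and needs no third-party library; it is not secure and stands in for AES/DES so that the mode logic is the thing under study. The key and plaintext are constructed sample values.

```python
import hmac
import hashlib
import os

BLOCK = 16          # block size in bytes (same as AES)
ROUNDS = 4

# Toy block cipher (assumption, not from the notes): a 4-round Feistel network
# with HMAC-SHA256 as the round function. Feistel structure makes it invertible;
# it is NOT a secure cipher and only stands in for AES/DES here.
def _round(key, r, half):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):          # undo the rounds in reverse order
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK              # always adds 1..16 bytes, so unpad is unambiguous
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # every block is encrypted on its own: equal plaintext blocks -> equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(pt)))

def ecb_decrypt(key, ct):
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                         # the IV is the "previous ciphertext" for block 1
    for b in _blocks(pkcs7_pad(pt)):
        prev = block_encrypt(key, xor(b, prev))  # XOR with previous ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))

def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (the ECB pattern leak)."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))

def avalanche(key, block):
    """Diffusion check: number of ciphertext bits that change when bit 0 of the plaintext flips."""
    flipped = bytes([block[0] ^ 1]) + block[1:]
    diff = xor(block_encrypt(key, block), block_encrypt(key, flipped))
    return sum(bin(b).count("1") for b in diff)

def demo():
    key = b"sixteen byte key"                  # constructed sample key
    iv = os.urandom(BLOCK)                     # fresh IV per message, never reused
    pt = b"ATTACK AT DAWN!!" * 4               # constructed: one block repeated, the worst case for ECB
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 3: the 2nd-4th data blocks are copies of the 1st
        "cbc_repeats": repeated_blocks(cbc),   # 0
        "ecb_roundtrip": ecb_decrypt(key, ecb) == pt,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == pt,
        "avalanche_bits": avalanche(key, pt[:BLOCK]),  # out of 128; around 64 means good diffusion
    }
```

Run demo() and compare ecb_repeats with cbc_repeats: same key, same plaintext, but only ECB lets you count the repeated plaintext blocks from the ciphertext alone. Swapping the toy cipher for a real AES block function leaves every mode function above unchanged, which is the point: ECB's weakness is in the mode, not the cipher.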
Types of Symmetric

04 June 2015

steghide (steganography)

tools: steghide:



ref:
1) http://steghide.sourceforge.net/documentation/manpage.php

03 June 2015

Virtual Memory for Linux Process

Comparison of Linux and Windows:






Linux Virtual Process:




ref:
1)  http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

29 May 2015

Virtual Address Space

Paged system



Pay attention to the 'Page Table'. This is how the translation from virtual address to physical address is done.



ref:
1) http://wiki.osdev.org/Paging
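The page-table walk the diagram describes, as an added example in software (not from the original notes or the osdev wiki). Assumptions: 32-bit x86 two-level paging with no PAE and 4 KiB pages only (10-bit directory index, 10-bit table index, 12-bit offset), CR0.WP and large pages ignored, and physical memory modelled as a dict of 32-bit entries. The page directory, page tables and mappings are constructed sample data.

```python
PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PRESENT, RW, USER = 0x1, 0x2, 0x4          # low flag bits of a PDE/PTE
FRAME_MASK = 0xFFFFF000                     # upper 20 bits: physical frame or page-table address


class PageFault(Exception):
    """Raised where the MMU would deliver #PF."""


def split_vaddr(vaddr):
    """Virtual address -> (directory index, table index, page offset)."""
    return (vaddr >> 22) & 0x3FF, (vaddr >> 12) & 0x3FF, vaddr & 0xFFF


def _check(entry, what, vaddr, user, write):
    # Simplified permission model: present, user/supervisor and read/write only.
    if not entry & PRESENT:
        raise PageFault(f"{what} not present for {vaddr:#010x}")
    if user and not entry & USER:
        raise PageFault(f"{what} is supervisor-only for {vaddr:#010x}")
    if write and not entry & RW:
        raise PageFault(f"{what} is read-only for {vaddr:#010x}")


def translate(vaddr, cr3, memory, user=False, write=False):
    """Translate vaddr to a physical address the way the hardware walk does:
    CR3 -> page directory entry -> page table entry -> frame | offset.
    `memory` maps physical address -> 32-bit entry; missing entries read as 0 (not present)."""
    pde_i, pte_i, offset = split_vaddr(vaddr)
    pde = memory.get(cr3 + pde_i * 4, 0)                 # entries are 4 bytes each
    _check(pde, f"PDE[{pde_i}]", vaddr, user, write)
    pte = memory.get((pde & FRAME_MASK) + pte_i * 4, 0)
    _check(pte, f"PTE[{pte_i}]", vaddr, user, write)
    return (pte & FRAME_MASK) | offset


def build_sample_tables():
    """Constructed page directory + two page tables (sample data, not a real dump)."""
    cr3 = 0x1000                                          # page directory lives at phys 0x1000
    mem = {}
    # PDE[0] -> table at 0x2000, kernel-only; identity-map the first four pages
    mem[cr3 + 0 * 4] = 0x2000 | PRESENT | RW
    for i in range(4):
        mem[0x2000 + i * 4] = (i * PAGE_SIZE) | PRESENT | RW
    # PDE[1] -> table at 0x3000, user-accessible; covers virtual 0x00400000-0x007FFFFF
    mem[cr3 + 1 * 4] = 0x3000 | PRESENT | RW | USER
    mem[0x3000 + 0 * 4] = 0x0007F000 | PRESENT | USER        # 0x00400000 -> 0x0007F000, read-only (code)
    mem[0x3000 + 1 * 4] = 0x00080000 | PRESENT | RW | USER   # 0x00401000 -> 0x00080000, writable (data)
    return cr3, mem


if __name__ == "__main__":
    cr3, mem = build_sample_tables()
    for va in (0x00001234, 0x00400123, 0x00401ABC, 0x00402000, 0x00800000):
        try:
            print(f"{va:#010x} -> {translate(va, cr3, mem, user=True):#010x}")
        except PageFault as e:
            print(f"{va:#010x} -> #PF: {e}")
```

Note that the same virtual address can translate fine for the kernel and fault for user mode (0x00001234 above), and that a missing page table (PDE not present) faults before any page table is even read, which is why a sparse address space costs only the tables that are actually populated.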

26 May 2015

volatility tips

To avoid repeating the profile and memory dump location on every command, export them once:

1)
$ export VOLATILITY_PROFILE=Win7SP1x64
$ export VOLATILITY_LOCATION=file:///path/to/MEMORY.DMP

$ python vol.py imageinfo



connections/connscan/sockets/sockscan work on Windows XP/2003 only.
Use the netscan plugin for Vista/2008/Win7 and later.





ref : 
1) http://kromer.pl/malware-analysis/memory-forensics-using-volatility-toolkit-to-extract-malware-samples-from-memory-dump/